Exemple #1
0
    def __init__(self, action, req, user_id, credstore, config):
        VCCSFactor.__init__(self, 'password')
        self._user_id = str(user_id)
        self._H1 = str(req['H1'])
        self.config = config
        self.credstore = credstore

        if len(self._H1) != 31:
            # A full bcrypt is 60 chars. the frontend should NOT send the whole
            # bcrypt digest to the authentication backend. bcrypt - salt = 31.
            raise VCCSAuthenticationError("Bad H1: {!r}".format(self._H1))

        if action == 'auth':
            _cred_id = str(req['credential_id'])
            self.cred = credstore.get_credential(_cred_id)
            if not self.cred:
                raise VCCSAuthenticationError("Unknown credential: {!r}".format(_cred_id))
            if self.cred.type() != self.type:
                raise VCCSAuthenticationError("Credential {!r} has unexpected type: {!r}".format(
                        self.cred.type()))
            if self.cred.version() != 'NDNv1':
                raise VCCSAuthenticationError("Unknown credential version: {!r}".format(
                        self.cred))
            # too few iterations is insecure, too many might be a DoS
            if self.cred.iterations() < config.kdf_min_iterations or \
                    self.cred.iterations() > config.kdf_max_iterations:
                raise VCCSAuthenticationError("Bad NDNv1 iterations count: {}".format(
                        self.cred.iterations()))
            # 16 bytes minimum (pwhash is hex encoded, so 32)
            if len(self.cred.derived_key()) < 32:
                raise VCCSAuthenticationError("Bad NDNv1 derived_key length: {}".format(
                        len(self.cred.derived_key())))
        elif action == 'add_creds':
            if config.add_creds_password_version != 'NDNv1':
                raise VCCSAuthenticationError("Add password credentials of version {!r} not implemented".format(
                        config.add_creds_password_version))
            if not config.add_creds_password_key_handle:
                raise VCCSAuthenticationError("Add password credentials key_handle not set".format(
                        config.add_creds_password_version))
            cred_data = {'type':          'password',
                         'status':        'active',
                         'version':       'NDNv1',
                         'kdf':           'PBKDF2-HMAC-SHA512',
                         'derived_key':   None,  # will be calculated later, in add_credential()
                         'key_handle':    config.add_creds_password_key_handle,
                         'iterations':    config.add_creds_password_kdf_iterations,
                         'salt':          None,  # will be added later, in add_credential()
                         'credential_id': str(req['credential_id']),
                         }
            self.cred = vccs_auth.credential.from_dict(cred_data, None)
        else:
            raise VCCSAuthenticationError("Unknown action {!r}".format(action))
Exemple #2
0
    def __init__(self, oath_type, action, req, user_id, credstore, config):
        VCCSFactor.__init__(self, oath_type)
        self.credstore = credstore
        config = config
        if action == 'auth':
            self.cred = credstore.get_credential(req['credential_id'])
            if not self.cred:
                raise VCCSAuthenticationError(
                    "Unknown credential: {!r}".format(req['credential_id']))

            if self.cred.version() != 'NDNv1':
                raise VCCSAuthenticationError(
                    "Unknown credential version: {!r}".format(self.cred))

            self._user_code = int(req['user_code'])
            self._user_id = user_id
        elif action == 'add_creds':
            if config.add_creds_oath_version != 'NDNv1':
                raise VCCSAuthenticationError(
                    "Add OATH credentials of version {!r} not implemented".
                    format(config.add_creds_password_version))
            if not req['key_handle'] in config.add_creds_oath_key_handles_allow:
                raise VCCSAuthenticationError(
                    "Add OATH credentials key_handle {!r} not in allowed list {!r}"
                    .format(req['key_handle'],
                            config.add_creds_oath_key_handles_allow))
            cred_data = {
                'type': self.type,
                'status': 'active',
                'version': 'NDNv1',
                'key_handle': req['key_handle'],
                'nonce': req['nonce'],
                'aead': req['aead'],
                'digits': req['digits'],
                'credential_id': req['credential_id'],
                'oath_counter': req['oath_counter'],
                'user_id': user_id,
            }
            self.cred = vccs_auth.credential.from_dict(cred_data, None)
        else:
            raise VCCSAuthenticationError("Unknown action {!r}".format(action))
Exemple #3
0
    def __init__(self, oath_type, action, req, user_id, credstore, config):
        VCCSFactor.__init__(self, oath_type)
        self.credstore = credstore
        config = config
        if action == 'auth':
            self.cred = credstore.get_credential(req['credential_id'])
            if not self.cred:
                raise VCCSAuthenticationError("Unknown credential: {!r}".format(req['credential_id']))

            if self.cred.version() != 'NDNv1':
                raise VCCSAuthenticationError("Unknown credential version: {!r}".format(
                        self.cred))

            self._user_code = int(req['user_code'])
            self._user_id = user_id
        elif action == 'add_creds':
            if config.add_creds_oath_version != 'NDNv1':
                raise VCCSAuthenticationError("Add OATH credentials of version {!r} not implemented".format(
                        config.add_creds_password_version))
            if not req['key_handle'] in config.add_creds_oath_key_handles_allow:
                raise VCCSAuthenticationError("Add OATH credentials key_handle {!r} not in allowed list {!r}".format(
                        req['key_handle'], config.add_creds_oath_key_handles_allow))
            cred_data = {'type':          self.type,
                         'status':        'active',
                         'version':       'NDNv1',
                         'key_handle':    req['key_handle'],
                         'nonce':         req['nonce'],
                         'aead':          req['aead'],
                         'digits':        req['digits'],
                         'credential_id': req['credential_id'],
                         'oath_counter':  req['oath_counter'],
                         'user_id':       user_id,
                         }
            self.cred = vccs_auth.credential.from_dict(cred_data, None)
        else:
            raise VCCSAuthenticationError("Unknown action {!r}".format(action))
Exemple #4
0
    def __init__(self, action, req, user_id, credstore, config):
        VCCSFactor.__init__(self, 'password')
        self._user_id = str(user_id)
        self._H1 = str(req['H1'])
        self.config = config
        self.credstore = credstore

        if self._H1.startswith('$'):
            # If the frontend uses bcrypt() to generate H1, it should NOT send the whole
            # bcrypt digest to the authentication backend. The salt is better kept separate
            # in the frontend.
            raise VCCSAuthenticationError("Bad H1: {!r}".format(self._H1))

        if len(self._H1) < 31:
            # Ensure a minimum length.
            raise VCCSAuthenticationError("Bad H1: {!r}".format(self._H1))

        try:
            # see if H1 is hex encoded, otherwise leave unaltered
            _decoded = self._H1.decode('hex')
            self._H1 = _decoded
        except Exception:
            pass

        if action == 'auth':
            _cred_id = str(req['credential_id'])
            self.cred = credstore.get_credential(_cred_id)
            if not self.cred:
                raise VCCSAuthenticationError(
                    "Unknown credential: {!r}".format(_cred_id))
            if self.cred.type() != self.type:
                raise VCCSAuthenticationError(
                    "Credential {!r} has unexpected type: {!r}".format(
                        self.cred.type()))
            if self.cred.version() != 'NDNv1':
                raise VCCSAuthenticationError(
                    "Unknown credential version: {!r}".format(self.cred))
            # too few iterations is insecure, too many might be a DoS
            if self.cred.iterations() < config.kdf_min_iterations or \
                    self.cred.iterations() > config.kdf_max_iterations:
                raise VCCSAuthenticationError(
                    "Bad NDNv1 iterations count: {}".format(
                        self.cred.iterations()))
            # 16 bytes minimum (pwhash is hex encoded, so 32)
            if len(self.cred.derived_key()) < 32:
                raise VCCSAuthenticationError(
                    "Bad NDNv1 derived_key length: {}".format(
                        len(self.cred.derived_key())))
        elif action == 'add_creds':
            if config.add_creds_password_version != 'NDNv1':
                raise VCCSAuthenticationError(
                    "Add password credentials of version {!r} not implemented".
                    format(config.add_creds_password_version))
            if not config.add_creds_password_key_handle:
                raise VCCSAuthenticationError(
                    "Add password credentials key_handle not set".format(
                        config.add_creds_password_version))
            cred_data = {
                'type': 'password',
                'status': 'active',
                'version': 'NDNv1',
                'kdf': 'PBKDF2-HMAC-SHA512',
                'derived_key':
                None,  # will be calculated later, in add_credential()
                'key_handle': config.add_creds_password_key_handle,
                'iterations': config.add_creds_password_kdf_iterations,
                'salt': None,  # will be added later, in add_credential()
                'credential_id': str(req['credential_id']),
            }
            self.cred = vccs_auth.credential.from_dict(cred_data, None)
        else:
            raise VCCSAuthenticationError("Unknown action {!r}".format(action))